I won't add to the toxicity of the comments found in the article.
Does anybody who has worked on the Aadhaar system have a presence on HN? The cynic in me wants to believe that the 'system' was nothing more than a simple CRUD app with the front end locked away under a username and password. Minimal effort, minimum spent.
Even large non-tech corporations are known for really insecure systems, insufficient password protection, easily guessed usernames, etc., all in the name of saving some $ on development. And to think this DB was not even meant for profit in the first place!
Did they (the org that built Aadhaar) commit the same mistakes or does this look like an inside job (purely for profit, with no malicious intent)?
I want to be wrong. I want this to be an 'attack' rather than just a 'pay for access' method.
The corruption comes with full service. Not just information leak, but information falsification, introducing fake people into the system, false Aadhaar cards (and therefore passports), the works. And if you buy 5x access (i.e. $50) it comes even more full service: install software on official computers (presumably for remote control), so that unlimited access is available.
And of course, we know that the reverse exists as well: refusal of service for legitimate purposes unless bribes are provided.
Meanwhile banks give anyone with your passport access to your bank account. Which sounds reasonable until you read ... A new epidemic is spreading across India. Find a "rich" person, figure out where they bank, get an ID card in their name (from the real government, I might add), and phone in a bank transfer or just get a new bank card issued from the bank. Of course, the government will be taking full responsibility I'm sure.
But surprisingly, none of this is a serious concern to the government, which insists on simply lying about the problems. They promise to investigate though, they promise.
If you target just middle-class people, no biggie...
This is by design. I believe Nilekani took a long hard look at the trade-off between privacy and achievability when creating Aadhaar and decided to fob off responsibility - moral and practical - to other people.
As a result, the agency itself just provides access to the DB and protects the biometric DB, and gives access to other agencies to use the system.
So the issue is always going to be the many myriad agencies and states connecting to the system, and now also the state databases which are being created.
https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target...
But do you know they were hacked? Through their HVAC vendor:
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-...
Now the defense - "It wasn't us but the HVAC guys who had weak security" would have been stupid because they were responsible. They were fined 18.5 million dollars:
https://www.usatoday.com/story/money/2017/05/23/target-pay-1...
So using this kind of logic is like being an ostrich. And UIDAI for better or worse is being an ostrich using the same logic - "It's not us but them" over and over again.
If it wasn't for the mandatory stuff government is doing, people would have ignored and junked Aadhaar a long time ago.
If a Microsoft employee gave people access to your mailbox, and they used it to get $5000 from your bank account, would you consider them responsible? Because I sure would.
This is a similar situation, except of course, that no Indian citizen has any choice in the matter: they cannot change their ID card provider, nor can they demand banks not give access that way: both have been legislated.
So when banks gave access to criminals with the (official, government-issued, through bribed officials) ID cards of the owners of those bank accounts, I feel like it is very much the case that the government is responsible, in at least 3 ways.
1) it was government officials who gave people access to that bank account
2) the banks tried to stop it, but are legally forced to give access to bank accounts to people holding those ID cards
3) the government is refusing to fix these issues, or secure their side
4) and the least way, the government is supposed to stop criminals. Which they did in a few cases, and did not do in thousands of other cases ...
These concerns were generally met with great hostility; UIDAI has relentlessly sought to silence people, sometimes by threatening them with legal proceedings.
ORF compiled a list of leaked UID numbers (~100 million) sometime back. Many UID numbers were dumped onto the Internet by clueless public servants. UIDAI promptly sent them a cease-and-desist order (or something to that effect).
https://www.youtube.com/watch?v=xU0bTAa_djc
UIDAI was implemented, very un-democratically, first by the former ruling coalition, and is now being promoted to ridiculous levels by the current political elites. All this has been done under the watchful eyes of the billionaire, Nandan Nilekani. He was able to engineer this junk system past both the legislative houses and courts multiple times over the course of the previous decade. UIDAI only received a mandate well after it was already pushed out onto the people through underhanded tactics.
Usha Ramanathan and others have been following this development from the start. It's increasingly becoming obvious that UIDAI was really only a means for creating a new Orwellian state, where everything can be turned off at the whim of some perturbed politician; where all your phone/bank numbers are at the mercy of some wrathful God in Delhi (and likely as not outside of it). This theory goes well with recent statements coming from the Indian state apparatus about the abolition of cash/untracked assets.
When it comes to power, there is no developed and developing.
If I had to design this, I would have added two-factor access to each citizen's data, which can only be accessed with their consent. But this model doesn't let the government departments access all the data at will.
I've followed the program from inception. The real genius lies in 2 things, little of which have to do with tech.
The first genius lies in the design of responsibility and liability of the Aadhaar authority.
The authority is impervious to assault legally - it is the only person who can mount a legal challenge on the misuse of Aadhaar numbers.
The authority also farms out all responsibility of usage of Aadhaar to "other entities". Thus it can never be held accountable since it only "provides other people a tool". What they do with it, is not the Agency's issue.
This is how its engineers can talk on various privacy channels as being fully for privacy and security, the agency itself can be a secure keeper for the biometric information - but the actual harm being done is farmed out to other agencies who can then take the blame.
This now makes all the numbers useless, since all the data stored may have been duplicated and the means to produce fakes is already out of the box. Somehow, the world's greatest bastion of humility will not submit to omnipresent technical surveillance - should we be at all surprised? India is famously corrupt. Even with rate limiting, search scope limitation, and other techniques it would appear that such data can never be truly secured.
UIDAI (Outlook): https://www.outlookindia.com/website/story/uidai-denies-biom...
Tribune's response: http://www.tribuneindia.com/news/nation/uidai-says-tribune-s...
So, "These groups targeted over 3 lakh village-level enterprise (VLE) operators" is referring to 300,000 operators. That gives you an idea of the scale here.